6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1

General

Target

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
Size

554KB
MD5

94d229fc107533eb550d04b03cc41afb
SHA1

7b4acea67134d35d128620ae94a4dbe38287b37b
SHA256

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1
SHA512

7b2cd57aeb97d43ac50c5d942a6bd83cbda8e0bc8f2c2f25b6a0fb150108ec5900c8cfcf1fd347f3b4f5d2b1eb9ec6bae41f12881e8927fd2130ea3ccd772ffb

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asrfivuf = "\"C:\\Windows\\gqukwbaj.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

description	pid	process	target process
PID 852 set thread context of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 1592 set thread context of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\gqukwbaj.exe explorer.exe
File created C:\Windows\gqukwbaj.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2020 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\gqukwbaj.exe	explorer.exe
File created	C:\Windows\gqukwbaj.exe	explorer.exe

pid	process
2020	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

pid process

852 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 848 vssvc.exe
Token: SeRestorePrivilege 848 vssvc.exe
Token: SeAuditPrivilege 848 vssvc.exe

pid	process
852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

description	pid	process
Token: SeBackupPrivilege	848	vssvc.exe
Token: SeRestorePrivilege	848	vssvc.exe
Token: SeAuditPrivilege	848	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exeexplorer.exe

description	pid	process	target process
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 852 wrote to memory of 1592	852	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
PID 1592 wrote to memory of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe
PID 1592 wrote to memory of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe
PID 1592 wrote to memory of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe
PID 1592 wrote to memory of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe
PID 1592 wrote to memory of 956	1592	6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe	explorer.exe
PID 956 wrote to memory of 2020	956	explorer.exe	vssadmin.exe
PID 956 wrote to memory of 2020	956	explorer.exe	vssadmin.exe
PID 956 wrote to memory of 2020	956	explorer.exe	vssadmin.exe
PID 956 wrote to memory of 2020	956	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
"C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
"C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000
Filesize
554KB

MD5
bf11c991683912c35bd9afcd551cc645

SHA1
e20f27466a44e669bfa9171aef106eeaa14041a5

SHA256
3a9ac6ca1da9c3060a45d7946da6cd42e513df398f284616ba1f30b6aabeccba

SHA512
de342f71333dd324cbcc29c08d5f1b05ad1b8ea0d4c602298a36406cf863a9ffc1cb8810c2744aba02210c8758af57e9629b6abd57d9550d389d8814eefb0b1a

Download Submit
memory/852-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/956-69-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/956-80-0x0000000072D21000-0x0000000072D23000-memory.dmp

Filesize
8KB

Download
memory/956-78-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/956-75-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/956-73-0x000000000009A160-mapping.dmp

Download
memory/956-71-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1592-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-65-0x000000000040A61E-mapping.dmp

Download
memory/1592-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1592-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2020-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads